Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #88

November 04, 2011

A present from SANS for everyone who signs up for an OnDemand class in
the next 3 weeks (before Nov. 23): A MacBook Air. I pushed a little for
this. The OnDemand training (the best security instructors in the world,
with a TiVo-like capability for instant replay) is extraordinarily
cost-effective for employers and satisfying for students. Since the
MacBook Air was the nicest thing I have ever done for my own computing
effectiveness (mostly because it did everything SOOO much faster than
any of my PCs) I suggested that the OnDemand folks give each of you a
MacBook Air when you sign up. That way you can take the course wherever
you find a Wifi signal. Surprise, they said yes.

THE REST OF THE WEEK'S NEWS

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
5 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home.
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Pre-Summit Courses November 26-30, 2011; Post-Summit Courses December 3-4, 2011
Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

Privacy Tools Confusing to Users (November 3, 2011)

A report from Carnegie Mellon University found that most users are confused by Internet privacy tools. In a test of nine tools used to restrict online targeted advertising, the 45 users participating in the study were unsure how to configure their options, often making choices that did not protect their privacy to the extent they wanted, or in some cases did not protect it at all. The study examined how users interacted with the privacy settings of Mozilla Firefox version 5, Internet Explorer 9, and a number of tools specifically designed to restrict behavioral advertising. On the whole, the tools did not provide clear descriptions of their configuration options, offering instead "jargon-filled technical explanations."
-http://www.scmagazineus.com/internet-privacy-tools-too-confusing-for-most-users/article/215869/
-http://www.cylab.cmu.edu/research/techreports/2011/tr_cylab11017.html
[Editor's Note (Pescatore): Most of the products they tested aren't really "privacy tools", they are "tools to limit online behavioral advertising" - the term the authors started out using. Of the nine tools tested, 2 were from the advertising industry, 3 were from the browser vendors and only 5 were actually from sources focused on user privacy. Expecting privacy features from the advertising industry and the browser vendors is like looking to the salty snack industry for nutritional guidance. The tools that are actually focused on user privacy are complex because they are battling an advertising-funded Internet ecology, and that really won't change any time soon.
(Liston): One of the biggest failings of our increasingly technological society is the creation of what I call the "Blinking 12:00" underclass. The divide between the man-on-the-street and technology has only increased since the days when people couldn't set the clock on their VCRs. While some progress has been made, the lack of a "common man" understanding of technology becomes more dangerous as our world becomes increasingly interconnected.]

Those responsible for maintaining the infrastructure that Duqu relies upon are now using a server located in Belgium to store data collected by infected computers. Authorities in India recently seized equipment from a data center in Mumbai because of reports that a server there was communicating with Duqu-infected computers. The move to the Belgian server was discovered when Symantec found a Duqu sample that was configured to communicate with a particular server at the Belgian web hosting company Combell Group. Symantec said it has notified the host and that the server was subsequently shut down. However, two Combell employees say the server is still actively communicating with other computers. One of the employees, speaking anonymously, said it appeared that whoever was controlling the server was deleting data to prevent useful communication logs from being generated.
-http://www.reuters.com/article/2011/11/03/us-cyberattack-belgium-idUSTRE7A25KC20111103
Symantec's blog on Duqu has some good background material:
-http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit

According to a report to Congress from the US Office of the National Counterintelligence Executive, online industrial espionage emanating from China and Russia poses a threat to the US economy and national security. The report says that trade secrets and other intellectual property worth billions of dollars are being stolen from government agencies, companies, and research institutions. The report marks a change from the usual hesitancy to identify perpetrators, saying that "Chinese actors are the world's most active and persistent perpetrators of economic espionage, ... [and] Russia's intelligence services are conducting a range of activities to collect economic information and technology from US targets."
-http://www.washingtonpost.com/world/national-security/us-cyber-espionage-report-names-china-and-russia-as-main-culprits/2011/11/02/gIQAF5fRiM_story.html
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/11/03/bloomberg_articlesLU347X6K50Z7.DTL
[Editor's Note (Pescatore): The 1937 version of this headline said "US Intelligence Report Says China and Russia are Conducting Telephonic Espionage."
(Honan and Paller): Most nation states, not just Russia and China, have been conducting espionage for many years; moving to computer-based espionage is simply a natural progression. The focus should not be solely on who is committing espionage but rather on ensuring the defenses in place are adequate enough to protect sensitive data and systems and the response capabilities are good enough to detect and mitigate the impact of an attack.
(Northcutt): Some rapid and serious work on developing air gap technologies to segment internal networks with sensitive information from anything Internet reachable needs to be put in place tomorrow. SANS has been doing this for some of our data since before I joined the company in January 2000, and NO, I will not give you details of our architecture, sorry.
(Murray): Any nation state that is not using the Internet to gather intelligence is either derelict or incompetent. Espionage is what nation states do. What do you think the purpose of the NSA is? Given that we know, or ought to know this, our security is inadequate.]

BT has begun its court-ordered blocking of Newzbin 2, a members-only website that facilitates access to pirated digital content. Newzbin 2 has called the block ineffective, saying that members are still able to access content through a workaround it made available earlier this fall. Newzbin 2 said that the majority of its users in the UK have downloaded the workaround. BT is using blocking technology called Cleanfeed that it already has in place to block child abuse sites.
-http://www.bbc.co.uk/news/technology-15572495

The FBI and the US Attorney General's Office have been named winners of the 2011 US National Cybersecurity Innovation Award for their work in disabling the Coreflood botnet. The FBI obtained a temporary restraining order that allowed it to seize five Coreflood command-and-control servers and replace them with servers run by law enforcement officials, which allowed the government to communicate with infected computers and halt malicious activity. The order also allowed the government to send commands to disable Coreflood malware on users' computers after obtaining their permission.
-http://www.prnewswire.com/news-releases/federal-bureau-of-investigation-and-the-us-attorney-generals-office-win-national-cybersecurity-innovation-award-133168328.html
[Editor's Note (Murray): The Coreflood Takedown demonstrated that judicial supervision does not, as so many claim, impede law enforcement.]

DHS Developing Social Media Monitoring Guidelines (November 1, 2011)

The US Department of Homeland Security (DHS) is drawing up guidelines for gathering information from social networking sites without violating citizens' privacy. DHS made the decision to create the guidelines earlier this year when protesters in the Middle East and North Africa began to use sites like Facebook and Twitter to communicate and organize. DHS does not actively monitor the sites, but would turn to public sites to gather information when it learns of a potential threat. Although users may be unhappy with the practice, they should realize that what they post on social networking sites is often within the public domain.
-http://www.computerworld.com/s/article/9221374/DHS_to_set_up_policies_for_monitoring_Twitter_Facebook_?taxonomyId=84

Researchers from Microsoft have published a paper in which they describe a method of improving the security of end-to-end verifiable electronic voting systems. The idea is to add a procedure to the machines' routines that provides each voter with a receipt that includes a cryptographic hash of his or her ballot's content, with each ballot's hash linked to the previous ballot's hash. The proposal is meant to reduce or eliminate "trash attacks," in which voter receipts that are thrown away as voters exit polling places are retrieved by those who want to alter election results. The receipts allow voters to check their votes against a publicly available list; a tossed receipt is an indication that the voter will not check the accuracy of his or her vote against the list, making that vote a good candidate for tampering.
-http://www.theregister.co.uk/2011/11/01/electronic_voting_fraud_mitigation/
-https://research.microsoft.com/pubs/155590/The%20Trash%20Attack.pdf
[Editor's Note (Murray): A newly eligible voter was asked this week by the media what would get him to vote. He responded "SSL." Actually voting is the single most difficult security problem in all of IT. The e-voting problem is soluble as long as one does not impose upon it requirements that no other system can meet. E-voting and cryptography are the only problem sets from which we exclude all non-perfect solutions.]
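As an added illustration of the chained-receipt idea described above (example code written for this summary, not from the Microsoft paper or the newsletter), the constructed Python below links each ballot's SHA-256 receipt to the previous one and shows how a voter who kept a receipt, or an auditor recomputing the chain, detects a change to a ballot whose receipt was discarded. The ballot format, the GENESIS link value and the sample election are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed: the link value used before the first ballot

def ballot_hash(ballot, prev_hash):
    """Receipt value: SHA-256 over the ballot content plus the previous receipt."""
    payload = json.dumps(ballot, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()

def build_public_list(ballots):
    """Issue chained receipts; the returned hash list is what gets published."""
    hashes, prev = [], GENESIS
    for ballot in ballots:
        prev = ballot_hash(ballot, prev)
        hashes.append(prev)
    return hashes

def first_broken_link(ballots, hashes):
    """Auditor's check: recompute the chain over the published ballots and
    return -1 if it is consistent, else the index of the first mismatch."""
    prev = GENESIS
    for i, (ballot, h) in enumerate(zip(ballots, hashes)):
        if ballot_hash(ballot, prev) != h:
            return i
        prev = h
    return -1

def voter_check(i, my_ballot, my_receipt, hashes):
    """A voter who kept receipt i confirms it is published and still links to
    the receipt before it, which also pins down that earlier ballot."""
    prev = hashes[i - 1] if i > 0 else GENESIS
    return hashes[i] == my_receipt and ballot_hash(my_ballot, prev) == my_receipt

# Constructed sample election: voter 1 throws away their receipt.
BALLOTS = [{"race": "mayor", "choice": "A"}, {"race": "mayor", "choice": "B"},
           {"race": "mayor", "choice": "A"}]

def trash_attack_detected():
    """Alter the ballot whose receipt was discarded and republish its hash;
    returns (voter 2's receipt fails, auditor sees the break at index 2)."""
    hashes = build_public_list(BALLOTS)
    receipt_2 = hashes[2]
    tampered = [dict(b) for b in BALLOTS]
    tampered[1]["choice"] = "A"
    bad_hashes = list(hashes)
    bad_hashes[1] = ballot_hash(tampered[1], hashes[0])  # rehashed to look consistent
    return (not voter_check(2, BALLOTS[2], receipt_2, bad_hashes),
            first_broken_link(tampered, bad_hashes) == 2)
```

Without the link to the previous receipt, the altered entry for ballot 1 would match the republished hash and nobody holding a receipt could notice; with it, every later receipt that is checked pins down the ballots before it. In this toy only the final ballot has no later receipt covering it.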

London's Metropolitan Police have been using surveillance technology that allows them to intercept cell phone communications and track users' locations through their mobile devices without requesting the data from mobile carriers. The technology, which covers up to 10 sq. km, tricks phones into thinking it is a legitimate cell phone tower. It can also be used to send a signal that shuts off mobile phones. It is unclear whether the system behaves as a man-in-the-middle while intercepting communications, or if the messages dead-end into the system. The Met Police did not offer details about when and where they have used the technology.
-http://www.wired.com/threatlevel/2011/10/datong-surveillance/
-http://www.guardian.co.uk/uk/2011/oct/30/metropolitan-police-mobile-phone-surveillance
[Editor's Note (Murray): Not having to worry about a written constitution is a big advantage to the Met. They can do anything that parliament does not explicitly forbid.]

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/